A lot of questions about CERT, PKA and make-dns-cert

Dan Mahoney, System Admin danm at prime.gushi.org
Wed Oct 21 11:44:55 CEST 2009

On Wed, 21 Oct 2009, David Shaw wrote:

> You didn't give an actual version number (run gpg2 --version), so I can only 
> make an educated guess, but I do think I see your problem.  You don't have 
> one key in your CERT - you have two (309C17C5 and 624BB249) combined into one 
> DNS record.  That doesn't work - it's a one-name-one-key mapping.  We should 
> give a better error message in this case.

Aah, yes, there we go.  Now it seems to work on all my systems.  For some 
reason I assumed --export would just pick one key to match on, just as 
--delete-keys does.  Note there's still a secondary key, hence my 

So far, the commands for a PGP CERT are:

gpg --list-keys gushi@gushi.org
(read, get key id)
gpg2 --export --export-options export-clean keyid > keyid.pub.bin
gpg2 --export --export-options export-minimal keyid > keyid.pub.bin
make-dns-cert -k keyid.pub.bin -n gushi.gushi.org. > keyid.dnscert

The commands for an IPGP cert are:

gpg --list-keys you@you.com
Choose your keyid from the above.
gpg2 --export --armor keyid > keyid.pub.asc
copy the ascii file somewhere where it's url accessible.
Manually copy/paste your fingerprint into the next command:
make-dns-cert -n gushi.gushi.org. -u url format (which?) -f fingerprint >keyid.dnscert

Then, publish one (and only one) CERT record in dns per-label.  In my 
case this also means signing the zone and all that.

Finally, for an _PKA record, it involves manually:

user@domain.com becomes user._pka.domain.com.
Get your keyid as above.

1) Export to a uri as for IPGP cert, above (presumably, it can be the same 

Strip your fingerprint like so:

2) gpg --fingerprint keyid | grep "Key fingerprint" | cut -d "=" -f 2 | 
sed 's/ *//g'

The format of the text record is simple:

you._pka.domain.com.  IN  TXT "v=pka1;fpr=[#1];uri=[#2]"

Where the values are substituted from the steps above.

Publish this in DNS.

Test using: dig you._pka.domain.com TXT, see if you get a result.

Test with a GPG client that doesn't otherwise have the key:

echo "foo" | gpg --auto-key-locate pka --armor --encrypt -r you@domain.com
and see if you get an output.

So here's the laundry list:

0) Do the above look mostly-right?
1) What are the best options for exporting certs for a CERT record?  For a 
uri-styled record?  (i.e. which signatures do you want to include?)
2) Do either the pka or the IPGP standards require the key to be in 
binary/ascii format?
3) What's the "sanctioned" list of uri formats?  Where is it defined for 
4) As I'm not a c-coder, how difficult would it be to have the 
make-dns-cert output in base64 instead of binary?
5) How solid is the output of --fingerprint?  Is it likely to change 
between versions, or are the grep and sed listed likely to work most 
6) How difficult would it be to get the cert-export functions right into 
7) How difficult would it be to get make-dns-cert built-by-default?
8) (asked previously) Is it worth filing a bug on not being able to 
specify multiple keyservers for auto-key-locate?
9) (also previously) Is it worth filing a bug to not have auto-key-locate 
vomit on unsupported methods?

With the answers to the above, I'll write up a nice howto doc including 
the prereqs for all the above, the DNS requirements, and the like.



"It's three o'clock in the morning.  It's too late for 'oops'.  After
Locate Updates, don't even go there."

-Paul Baecker
  January 3, 2k
  Indeed, sometime after 3AM

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
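An added example, not part of Dan's post or of GnuPG itself: the PKA steps above (strip the fingerprint from `gpg --fingerprint` output, build the `user._pka.domain` TXT record, check what `dig ... TXT +short` returns) as POSIX shell functions, with a sanity check that the fingerprint is 40 hex digits before anything is published. The gpg listing, key IDs and URI are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post). Builds and checks a PKA TXT
# record from "gpg --fingerprint"-style output. All sample values are constructed.

# Constructed sample of what `gpg --fingerprint <keyid>` printed in 2009-era gpg.
SAMPLE_LISTING='pub   1024D/1234ABCD 2009-01-01
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567
uid                  Example User <you@domain.com>
sub   2048g/5678EF01 2009-01-01'

# Step 2 of the post: isolate the fingerprint line and strip every space.
pka_fingerprint() {
    printf '%s\n' "$1" | grep "Key fingerprint" | cut -d "=" -f 2 | sed 's/ *//g'
}

# Sanity check before publishing: a v4 OpenPGP fingerprint is exactly 40 hex digits.
pka_fingerprint_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Map user@domain to the PKA owner name user._pka.domain. (trailing dot = absolute).
pka_owner_name() {
    local_part=${1%@*}
    domain=${1#*@}
    printf '%s._pka.%s.' "$local_part" "$domain"
}

# Emit the zone-file line:  owner  IN  TXT "v=pka1;fpr=...;uri=..."
pka_txt_record() {
    addr=$1; fpr=$2; uri=$3
    pka_fingerprint_ok "$fpr" || { echo "bad fingerprint: $fpr" >&2; return 1; }
    printf '%s  IN  TXT "v=pka1;fpr=%s;uri=%s"\n' "$(pka_owner_name "$addr")" "$fpr" "$uri"
}

# Check one quoted string as returned by `dig <name> TXT +short`: all three
# fields present, in order, and the fpr field well-formed.
pka_record_check() {
    rec=$(printf '%s' "$1" | tr -d '"')
    case "$rec" in
        v=pka1\;fpr=*\;uri=*) ;;
        *) return 1 ;;
    esac
    f=${rec#*fpr=}; f=${f%%;*}
    pka_fingerprint_ok "$f"
}

# Usage: build the record for the constructed sample listing and a sample URI.
FPR=$(pka_fingerprint "$SAMPLE_LISTING")
pka_txt_record you@domain.com "$FPR" "http://www.example.org/keys/1234ABCD.asc"
```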
